Analysis Date: 2014-04-23 09:36:50
MD5: 3d444c45dfa46b0a52c44acb599b43e6
SHA1: 2409c61bcf8ff5d314cc6cda0fe64abff6818f5c

Static Details:

File type: PE32 executable for MS Windows (console) Intel 80386 32-bit
Section .text md5: 9bac96a25f36d087cec0dfa89da2e9d9 sha1: 2dcce220a2c2a6cf10c9043523aadf131db69b10 size: 56832
Section .rdata md5: cc02373a727f9b0d8997a5e42a7af3e4 sha1: 8b26adbba5a4a0edd39ee6ce8eda630c6905e117 size: 6656
Section .data md5: cedd609cbc9adb4412517646fdc6c8ae sha1: cacdfda7a3eef0a292b2178df13b78bf84e2541a size: 13824
Section .rsrc md5: 0ce763433c42cb0a5816e7b1cfe4c358 sha1: 23bf63f653115bce11fb29a985684aeddc2c010e size: 1024
Section .text md5: 34a4794e0eced445655ceb3e735f1ed2 sha1: 2a8afb307b31c47726fd9463e3a9364771563839 size: 154112
Timestamp: 2007-01-17 10:40:00
Version:
CompanyName: Autodesk
ProductName: Autodesk Licensing Service
FileVersion: 2.80.011
FileDescription: System Level Service Utility
PEhash: cdc402fdc3598eccdfa50e827c05f3f93b8ddd42
IMPhash: 1e82152a9f383f8d492ea08036a42cab
AV avg: Win32/Zbot.G
AV avira: W32/Ramnit.C
AV msse: Virus:Win32/Ramnit.N
AV clamav: W32.Ramnit-1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\EVENTLOG
Creates File: C:\2409c61bcf8ff5d314cc6cda0fe64abff6818f5cmgr.exe
Creates Process: C:\2409c61bcf8ff5d314cc6cda0fe64abff6818f5cmgr.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D699461D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Creates File: C:\2409c61bcf8ff5d314cc6cda0fe64abff6818f5cmgr.exe
Deletes File: C:\Program Files\huettqja\px3.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69CA21D45}
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\2409c61bcf8ff5d314cc6cda0fe64abff6818f5cmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Network Details:

DNS: google.com, Type: A ➝ 62.253.3.94
DNS: google.com, Type: A ➝ 62.253.3.119
DNS: google.com, Type: A ➝ 62.253.3.109
DNS: google.com, Type: A ➝ 62.253.3.108
DNS: google.com, Type: A ➝ 62.253.3.84
DNS: google.com, Type: A ➝ 62.253.3.93
DNS: google.com, Type: A ➝ 62.253.3.123
DNS: google.com, Type: A ➝ 62.253.3.118
DNS: google.com, Type: A ➝ 62.253.3.99
DNS: google.com, Type: A ➝ 62.253.3.103
DNS: google.com, Type: A ➝ 62.253.3.104
DNS: google.com, Type: A ➝ 62.253.3.98
DNS: google.com, Type: A ➝ 62.253.3.88
DNS: google.com, Type: A ➝ 62.253.3.114
DNS: google.com, Type: A ➝ 62.253.3.113
DNS: google.com, Type: A ➝ 62.253.3.89
DNS: ytioghfdghvcfgbgvdf.com, Type: A ➝ 109.74.196.143
DNS: ytioghfdghvcfgbgvdf.com, Type: A ➝ 109.74.196.143
DNS: awrcaverybrstuktdybstr.com, Type: A ➝ 109.74.196.143
DNS: awrcaverybrstuktdybstr.com, Type: A ➝ 109.74.196.143
Flows TCP: 192.168.1.1:1033 ➝ 62.253.3.94:80
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1037 ➝ 109.74.196.143:443

Strings